Windows, MacOS and Linux operating systems don't sufficiently protect memory, making it possible for a fake network card to sniff banking credentials, encryption keys and private files, according to new research.

The weaknesses, collectively called Thunderclap, highlight a new class of threats posed by malicious peripherals. The research has been in the works since 2016, and Apple is one of several vendors that have issued software updates as a result.

The Thunderclap research paper

The work focused on the Thunderbolt 3 data transfer standard over USB Type-C connectors. Although operating systems are supposed to only allow a peripheral to have direct memory access for the resources it needs, researchers found that this defense isn't implemented effectively to prevent data theft. The research also covered PCI Express, or PCIe, an older set of device connection and data transfer protocols.

Stealing data this way would require physical access to a device. "The combination of power, video and peripheral-device DMA over Thunderbolt 3 ports facilitates the creation of malicious charging stations or displays that function correctly but simultaneously take control of connected machines," the researchers write.

The research paper from the University of Cambridge, Rice University and SRI International was presented on Tuesday at the Network and Distributed Systems Security Symposium in San Diego. It was co-authored by A. Theodore Markettos, Colin Rothwell, Brett F. Gutstein, Allison Pearce, Peter G. Neumann, Simon W. Moore and Robert N.M. Watson.

Memory Defenses Down

In contrast to regular USB ports, USB-C ports have higher privileges and low-level access to a device. To guard against malicious access, the Input-Output Memory Management Unit, or IOMMU, acts as a gatekeeper for access to the memory.

But the researchers found most systems don't use IOMMU out of the box except for MacOS. Linus and FreeBSD support it, but it is not enabled by default. The Home and Pro versions of Windows 7, 8 and 10 don't support it. The enterprise version of Windows 10 "can optionally use it, but in a very limited way that leaves most of the system undefended," they write.

"This state of affairs is not good, and our investigations revealed significant further vulnerabilities even when the IOMMU is enabled," according to the researchers.

The testing involved creating a fake network card that interacted with operating systems the same way as a real one. The researchers extracted a software model of an Intel E1000 network adaptor from the QEMU open-source system emulator and ran it on a field-programmable gate array.

Then the researchers observed what the fake network card could see, which disturbingly included plaintext data over a VPN and traffic from Unix domain sockets.

On MacOS and FreeBSD, it was possible to start arbitrary programs as a system admin. On MacOS, the fake card could read keystrokes coming from a USB keyboard. On Linux, it had access "to sensitive kernel data structures," the researchers write. "Worst of all, on Linux, we could completely bypass the enabled IOMMU simply by setting a few option fields in the messages that our malicious network card sent."

Fixes in the Pipeline

The research has been ongoing since 2016, and vendors have been issuing mitigations. But the researchers warn the newly discovered risk represents a new space of vulnerabilities, and others may lurk.

"We believe that all operating systems are vulnerable to similar attacks and that more substantial design changes will be needed to remedy these problems," the researchers write. "We noticed similarities between the vulnerability surface available to malicious peripherals in the face of IOMMU protections and that of the kernel system call interface, long a source of operating system vulnerabilities."

In 2016, Apple fixed a vulnerability that the researchers had exploited to gain administrator access in MacOS version 10.12.4.

Improvements for Windows also have been made. For laptops that ship with Windows 10 version 1083, IOMMU is enabled within a feature called Kernel DMA Protection for Thunderbolt 3, the researchers note. But the protection doesn't extend to PCIe. Older Windows machines that ship before version 10833 are still vulnerable.

Intel has also developed Linux patches to turn on IOMMU for Thunderbolt devices, which will be wrapped into the forthcoming 5.0 Linux kernel.

But until there's a more uniform implementation across operating systems for IOMMU, the advice from the researchers is familiar: "We advise users to update their systems and to be cautious attaching unfamiliar USB-C devices to their machines - especially those in public places."

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.co.uk, you agree to our use of cookies.